WhatsApp has discovered that attackers have used a vulnerability in its app to inject commercial spyware into phones, according to a report on Tuesday (May 14).
The Facebook-owned messaging app found out in early May that attackers could remotely install surveillance software on both iPhones and Android phones, according to a Financial Times report.
The code, which FT said was developed by Israeli company NSO Group, was sent through the app's voice call function to users' phones.
This could be transmitted even if the targets did not pick up the calls, and the calls could also disappear from call logs, said FT, citing an unnamed spyware technology dealer.
A Facebook security advisory detailed the vulnerability with this description: "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number."
The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15, according to the advisory.
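The advisory's version list is only useful if it is compared correctly: a naive string comparison ranks "2.19.134" below "2.19.44" because the character "1" sorts before "4", which would wrongly mark a patched Android build as vulnerable. The following is an added example, not code from WhatsApp, Facebook or the FT report, that parses the dotted versions into integer tuples and triages a constructed device inventory against the thresholds quoted above. The product labels, function names and sample inventory are this example's own assumptions; only the version numbers come from the advisory text.

```python
"""Check installed WhatsApp builds against the fixed versions in the advisory.

Added example; the version thresholds are taken from the advisory text on
this page, everything else (product labels, device ids, function names) is
constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple

# First fixed version per product, from the advisory: builds strictly
# below these are affected.
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for Android": "2.19.134",
    "WhatsApp Business for Android": "2.19.44",
    "WhatsApp for iOS": "2.19.51",
    "WhatsApp Business for iOS": "2.19.51",
    "WhatsApp for Windows Phone": "2.18.348",
    "WhatsApp for Tizen": "2.18.15",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as "v2.19.134" into (2, 19, 134).

    Comparing tuples of ints gives numeric ordering per component; comparing
    the raw strings would put "2.19.134" before "2.19.44".
    """
    v = version.strip()
    if v.lower().startswith("v"):
        v = v[1:]
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True if `installed` is strictly below the product's first fixed version."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"product not listed in the advisory: {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Split an inventory of (device_id, product, installed_version) rows.

    Returns (affected_device_ids, unknown_product_device_ids). Products the
    advisory does not list are reported separately rather than silently
    treated as patched.
    """
    affected: List[str] = []
    unknown: List[str] = []
    for device_id, product, version in inventory:
        if product not in FIXED_VERSIONS:
            unknown.append(device_id)
            continue
        if is_affected(product, version):
            affected.append(device_id)
    return affected, unknown


# Constructed sample inventory (hypothetical device ids and builds).
SAMPLE_INVENTORY = [
    ("phone-01", "WhatsApp for Android", "2.19.133"),          # one below fix
    ("phone-02", "WhatsApp for Android", "v2.19.134"),         # exactly the fix
    ("phone-03", "WhatsApp Business for Android", "2.19.44"),  # exactly the fix
    ("phone-04", "WhatsApp for iOS", "2.19.50"),               # one below fix
    ("phone-05", "WhatsApp for Windows Phone", "2.18.300"),    # below fix
    ("phone-06", "WhatsApp for Tizen", "2.18.15"),             # exactly the fix
    ("phone-07", "Some unlisted product", "1.0.0"),            # not in advisory
]

if __name__ == "__main__":
    affected_ids, unknown_ids = triage(SAMPLE_INVENTORY)
    print("affected:", affected_ids)
    print("product not in advisory:", unknown_ids)
```

Devices whose installed build equals the fixed version are reported as not affected, matching the advisory's "prior to" wording; anything the advisory does not cover is surfaced as unknown so it is not mistaken for patched.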
According to FT, WhatsApp began rolling out a fix to its servers on Friday, and a patch for customers was rolled out on Monday.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” WhatsApp was quoted as saying.
When asked about the WhatsApp attacks by FT, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company was quoted as saying.
NSO is best known as a supplier of mobile surveillance tools to governments and law enforcement agencies.
It was in the spotlight in 2017 amid allegations that the Mexican government had used its Pegasus mobile spyware to target private citizens.